CVE-2016-6366 — Cisco Adaptive Security Appliance (ASA) SNMP Buffer Overflow Vulnerability

Cisco ASA — SNMP Packet Processing Buffer Overflow Enables RCE or DoS; 'ExtraBacon' Shadow Brokers Leak; Patched cisco-sa-20160817-asa-snmp (August 2016)

What Is Cisco ASA?

Cisco Adaptive Security Appliance (ASA) is the dominant enterprise network firewall platform, deployed at network perimeters in thousands of large enterprises, government agencies, and service providers globally. ASA devices enforce network access policies, provide VPN termination (AnyConnect, IPSec), and perform NAT and stateful packet inspection for perimeter security. Compromising a firewall device provides a highly privileged network position — an attacker who controls the firewall can intercept all traffic passing through it, modify network access policies, and establish persistent footholds on the network perimeter.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 24, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2016-6366 is a buffer overflow vulnerability in Cisco ASA's SNMP packet processing code that can allow a remote attacker to cause a system reload (denial of service) or potentially execute remote code. Critically, this vulnerability was publicly disclosed as "ExtraBacon" — an exploit tool leaked by the Shadow Brokers group on August 13, 2016, claimed to be from the NSA's Equation Group hacking toolkit. The Shadow Brokers leak provided working exploit code for CVE-2016-6366 before Cisco had published a patch, creating a race between patching and exploitation. Cisco released the patch on August 17, 2016. CISA added CVE-2016-6366 to the KEV catalog in May 2022.

Affected Versions

Affected Cisco ASA software versions depend on the specific SNMP version in use. Consult Cisco's security advisory cisco-sa-20160817-asa-snmp for the complete version table. Generally, ASA software versions supporting SNMP v1, v2c, or v3 with SNMP enabled are affected. SNMP must be enabled and reachable for exploitation.

Platform Status
Cisco ASA 5500 Series Vulnerable (if running affected software)
Cisco ASA 5500-X Series Vulnerable (if running affected software)
Cisco ASA Services Module (ASASM) Vulnerable (if running affected software)
All above with patched ASA software Fixed

Technical Details

Root Cause: SNMP Packet Buffer Overflow

CVE-2016-6366 is a classic buffer overflow (CWE-120) in Cisco ASA's SNMP processing code. SNMP (Simple Network Management Protocol) allows network management systems to monitor and configure network devices. When Cisco ASA processes specially crafted SNMP packets — SNMP GET, SET, or trap operations with malformed or oversized fields — the SNMP handler copies packet data into a fixed-size buffer without properly validating the data length. The overflow corrupts adjacent memory, potentially enabling code execution or causing a crash (denial of service / device reload).

SNMP exploitation prerequisites:

  • SNMP must be configured and accessible on the ASA (not enabled by default)
  • For SNMP v1/v2c: the attacker needs the SNMP community string (often the default "public" or "private")
  • For SNMP v3: the attacker needs valid SNMP v3 credentials
  • The SNMP management interface port must be reachable (typically UDP 161)

The CVSS PR:L (Privileges Required: Low) reflects the need for SNMP community string knowledge.

ExtraBacon — Shadow Brokers Disclosure

On August 13, 2016, the Shadow Brokers group published a collection of hacking tools claimed to be from the NSA's Equation Group, including "ExtraBacon" — a working exploit for the Cisco ASA SNMP buffer overflow. The ExtraBacon tool was a sophisticated exploit developed against Cisco ASA that:

  • Targeted specific ASA firmware versions with the exact memory offsets needed for reliable exploitation
  • Provided a working SNMP-based RCE tool against the perimeter firewall of targets
  • Was available publicly before Cisco had released a patch

Cisco issued the security advisory and patch on August 17, 2016 — four days after the Shadow Brokers leak and before most organizations could patch.

Attack Characteristics

Attribute Detail
Attack Vector Network — crafted SNMP packets to ASA management interface
Prerequisites SNMP enabled; SNMP community string or v3 credentials
Impact Reload (DoS) or potential remote code execution
Exploit ExtraBacon (Shadow Brokers / Equation Group)
Target Enterprise perimeter firewalls

Discovery

CVE-2016-6366 was discovered by the NSA's Equation Group (based on the Shadow Brokers attribution) and weaponized as the ExtraBacon exploit. Public disclosure occurred when Shadow Brokers published the tool on August 13, 2016, prompting Cisco's immediate security response.

Exploitation Context

  • ExtraBacon state-level tool: The ExtraBacon exploit in the Shadow Brokers dump represents NSA-grade tooling against enterprise firewalls; the precision of ASA version-specific memory offsets in the exploit indicates significant prior research and development by sophisticated nation-state actors
  • Enterprise firewall targeting: Compromising a Cisco ASA at a network perimeter provides an exceptionally privileged attack position — all traffic flowing through the device is visible, VPN session keys can be extracted, and network access policy can be modified; nation-state actors specifically seek to compromise perimeter network devices for persistent access
  • Shadow Brokers ongoing impact: The August 2016 Shadow Brokers dump and subsequent leaks (including EternalBlue in April 2017) demonstrated that NSA offensive tools were compromised and published; Cisco, Microsoft, and other vendors raced to patch vulnerabilities exposed in the dumps
  • SNMP as attack surface: SNMP is a common attack surface in network devices — enterprise networks often have SNMP enabled with default or weak community strings on management interfaces that are more broadly accessible than intended
  • CISA KEV (2022): Added May 2022 alongside CVE-2016-6367 (companion Cisco ASA vulnerability), reflecting continued exploitation

Remediation

CISA BOD 22-01 Deadline: June 14, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  1. Apply Cisco security advisory cisco-sa-20160817-asa-snmp patches — upgrade ASA software to the patched version for your hardware platform per the advisory's fix table.

  2. Disable SNMP if not required — if SNMP monitoring is not in use, disable SNMP on the ASA entirely: no snmp-server. This eliminates the attack surface.

  3. Restrict SNMP access — if SNMP is required, configure ACLs to allow SNMP only from specific authorized management system IP addresses: snmp-server host <mgmt-interface> <monitor-ip> community <string> with a corresponding ACL.

  4. Use SNMP v3 with authentication and encryption — replace SNMP v1/v2c (which use plaintext community strings) with SNMP v3 with auth and priv settings; this prevents community string sniffing and makes credential guessing harder.

  5. Audit SNMP community strings — change all SNMP community strings from defaults ("public", "private") to long random values, and rotate them.

  6. Monitor ASA syslog for SNMP anomalies — configure Cisco ASA to log SNMP authentication failures and unexpected SNMP poll sources; alerts on anomalous SNMP activity may indicate reconnaissance or exploitation attempts.
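As an added example (not from this page or from Cisco), a small Python audit that applies steps 3 to 5 to the text of `show running-config snmp-server`: it flags hosts reachable via a non-management interface, hosts still on v1/v2c, default or short community strings, and v3 groups weaker than priv. The sample configuration, the allowed management interface `inside` and the 16-character minimum are constructed assumptions.

```python
import re

# Constructed sample of `show running-config snmp-server` output (not from a
# real device); the weak entries are deliberate so the audit has something to flag.
SAMPLE_CONFIG = """\
snmp-server host inside 10.10.5.20 community public version 2c
snmp-server host outside 203.0.113.9 poll community private version 1
snmp-server host inside 10.10.5.21 version 3 nmsuser
snmp-server community public
snmp-server group MONITOR-V3 v3 priv
snmp-server user nmsuser MONITOR-V3 v3 auth sha ***** priv aes 128 *****
"""

DEFAULT_COMMUNITIES = {"public", "private"}  # the defaults the advisory text names
MIN_COMMUNITY_LEN = 16                       # assumed local policy, not a Cisco rule

# ASA syntax: snmp-server host <ifc> <ip> [trap|poll] [community <str>] [version 1|2c|3 <user>]
HOST_RE = re.compile(
    r"^snmp-server host (?P<ifc>\S+) (?P<ip>\S+)(?: (?:trap|poll))?"
    r"(?: community (?P<community>\S+))?"
    r"(?: version (?P<version>1|2c|3)(?: (?P<user>\S+))?)?"
)
COMMUNITY_RE = re.compile(r"^snmp-server community (?P<community>\S+)")
GROUP_RE = re.compile(r"^snmp-server group (?P<name>\S+) v3 (?P<sec>noauth|auth|priv)")

def weak_community(s: str) -> bool:
    """Default string, or too short to resist guessing under the assumed policy."""
    return s.lower() in DEFAULT_COMMUNITIES or len(s) < MIN_COMMUNITY_LEN

def audit_snmp_config(config: str, mgmt_ifcs=("inside",)) -> list:
    """Return (severity, message) findings; mgmt_ifcs are the interfaces allowed to poll."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := HOST_RE.match(line):
            ifc, ip, comm, ver = m["ifc"], m["ip"], m["community"], m["version"]
            if ifc not in mgmt_ifcs:
                findings.append(("HIGH", f"host {ip} reachable via non-management interface {ifc}"))
            if ver != "3":  # v1/v2c: the community string travels in cleartext
                findings.append(("HIGH", f"host {ip} uses SNMP v{ver or '1/2c'}, not v3"))
            if comm and weak_community(comm):
                findings.append(("HIGH", f"host {ip} uses a default or short community string"))
        elif (m := COMMUNITY_RE.match(line)) and weak_community(m["community"]):
            findings.append(("HIGH", "global snmp-server community is default or short"))
        elif (m := GROUP_RE.match(line)) and m["sec"] != "priv":
            findings.append(("MEDIUM", f"v3 group {m['name']} is {m['sec']}, not priv"))
    return findings
```

Running `audit_snmp_config(SAMPLE_CONFIG)` yields six HIGH findings for the constructed sample; a config with only the v3 host and a priv group yields none.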

Key Details

Property              Value
CVE ID                CVE-2016-6366
Vendor / Product      Cisco — Adaptive Security Appliance (ASA)
NVD Published         2016-08-18
NVD Last Modified     2026-01-12
CVSS 3.1 Score        8.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-120 — Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CISA KEV Added        2022-05-24
CISA KEV Deadline     2022-06-14
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   Low
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-06-14. Apply updates per vendor instructions.

Timeline

Date        Event
2016-08-13  Shadow Brokers leak Equation Group hacking tools including 'ExtraBacon' exploit for Cisco ASA SNMP buffer overflow
2016-08-17  Cisco releases security advisory cisco-sa-20160817-asa-snmp patching CVE-2016-6366 in Cisco ASA firmware
2016-08-18  CVE-2016-6366 published by NVD
2022-05-24  Added to CISA Known Exploited Vulnerabilities catalog
2022-06-14  CISA BOD 22-01 remediation deadline